Sample Management Awareness Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Latest revision as of 14:02, 1 May 2010

Document History

Version | Date | Revised By | Description
1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owner's name> | This version replaces any prior version.

Document Certification

Description | Date Parameters
Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: | 1 January 2011 <Date>

Sample Management Security Awareness Standard

The <Your Company Name> (the "Company") Sample Security Awareness Policy defines objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the Sample Information Security Program Charter and associated policies and standards.

This Management Security Awareness Standard builds on the objectives established in the Sample Security Awareness Policy, and provides specific instructions and requirements for providing security awareness education and training for Company management.

I. Scope

All Company managers of employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems are covered by this standard and must comply with associated guidelines and procedures.

Information assets are defined in the Sample Asset Identification and Classification Policy.

II. Requirements

A. General
1. Newly hired managers will receive the appropriate security awareness training within one month of their effective start date.
2. Managers will receive appropriate security awareness training on an annual basis.
3. Managers will be made aware of significant Information Security issues and topics as necessary.

B. Policies
1. Information security awareness training for management should cover all topics and standards for employees or Users, as well as the following policies:
* All topics and policies for employees
* Sample Asset Management Policy
* Sample Vulnerability Assessment and Management Policy
* Sample Threat Assessment and Monitoring Policy
* Sample Security Awareness Policy

C. Standards
1. Information security awareness training for management should cover all topics and standards for employees or Users, as well as the following standards:
* Sample Encryption Standard
* Sample Integrity Protection Standard
* Sample Availability Protection Standard
* Sample Change Control Standard
* Sample Vulnerability Assessment Standard
* Sample Vulnerability Management Standard
* Sample Threat Assessment Standard
* Sample Incident Response Standard

IV. Responsibilities


The Chief Information Security Officer (CISO) approves the Management Security Awareness Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Management Security Awareness Standard.

Company management is responsible for ensuring employees within their area of responsibility cooperate with Company security awareness and training efforts; ensuring employees within their area of responsibility receive the proper Information Security awareness and training in accordance with the Sample Security Awareness Policy and associated standards and guidelines; and ensuring the effective communication of relevant security issues with the Information Security Department.

V. Enforcement and Exception Handling


Failure to comply with the Management Security Awareness Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal action may also be taken for violations of applicable regulations and laws.

Requests for exceptions to the Management Security Awareness Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Management Security Awareness Standard.

VI. Review and Revision


The Management Security Awareness Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer